Analysing a Cryptocurrency phishing attack that earns $15K in two hours

I sometimes play around with Cryptocurrency. Yesterday I received a phishing e-mail on an e-mail address that was only submitted to the Kin Foundation (a new ICO). To be precise my unique address was submitted to the Kin Token Pre-Registrations mailing list (catchall e-mail FTW).

Phishing is already a well-known phenomenon, thanks to awareness-raising campaigns and online reporting of several big hacks carried out through this type of attack: criminals try to obtain the login credentials for all kinds of accounts through legitimate-looking e-mails. By tempting potential victims to enter their username and password on a website, the cybercriminals gain access to confidential data and/or finances for their personal gain.

Somehow the attackers were able to obtain my unique e-mail address from this mailing list, so I decided to investigate the phishing attack a little further! The e-mail contained a link to a click-tracking service at em.polagr.am; when following the link, a redirect was performed to xn--myetherwalle-9me.com:

The domain xn--myetherwalle-9me.com is an internationalized domain name (the xn-- prefix is the Punycode encoding of Unicode characters), which makes it hard to tell apart from the real domain. The Unicode trick is used precisely to make the two difficult to distinguish, as shown below. I had never played around with the Unicode trick, so I had trouble seeing the differences myself.

Behind the phishing domain, a myetherwallet.com clone is present (note the weird “t” with a comma underneath the letter; my humble respect for the Unicode trick! Too bad they use it in a malicious way).
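An added example, not code from the original post, showing how a defender can decode such a Punycode host name and flag it as a look-alike of the brand it imitates. The host name and the protected domain are the ones from the post; the function names and the normalisation approach (NFKD decomposition with combining marks stripped) are assumptions of this example. It catches diacritic-based homographs like the comma-below “t” here, but not mixed-script confusables, which need the Unicode TR39 confusable tables.

```python
import unicodedata

# Constructed sample: the phishing host from the post and the brand it imitates.
PHISHING_HOST = "xn--myetherwalle-9me.com"
PROTECTED_DOMAINS = ["myetherwallet.com"]


def decode_idna(host: str) -> str:
    """Turn a Punycode (xn--) host name into its Unicode form, label by label."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            # The 'punycode' codec is the RFC 3492 decoder shipped with Python.
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(host: str) -> str:
    """Crude look-alike normaliser (assumed technique, not from the post):
    decompose accented letters with NFKD, drop the combining marks and
    lower-case. 'myetherwalle\u021b' (t with comma below) collapses to
    'myetherwallet'. Mixed-script confusables such as Cyrillic 'а' for
    Latin 'a' are not handled by this simplification."""
    decomposed = unicodedata.normalize("NFKD", decode_idna(host))
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def find_lookalike(host: str, protected):
    """Return the protected domain that `host` imitates, or None when the host
    is either the genuine domain or not similar enough to flag."""
    unicode_host = decode_idna(host)
    if unicode_host in protected:
        return None  # the real domain, nothing to flag
    host_skeleton = skeleton(host)
    for domain in protected:
        if host_skeleton == skeleton(domain):
            return domain
    return None


if __name__ == "__main__":
    print("decoded:", decode_idna(PHISHING_HOST))
    print("imitates:", find_lookalike(PHISHING_HOST, PROTECTED_DOMAINS))
```

Running the block prints the decoded host name (myetherwalleț.com) and reports that it imitates myetherwallet.com; the same check can be run over proxy or DNS logs to surface look-alike domains before users click them.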

The webpage is a one-to-one clone of the real MyEtherWallet.com website. HTTPS was also implemented, using the free Let’s Encrypt service.

So, let’s enumerate files on the web server; we might get lucky and obtain more information about the phishing site. During the enumeration, an error_log was discovered, containing a PHP error that occurred on 10-10-2017:

Also, a log.txt file was discovered. This file contained uploaded wallets. However, after taking a look at this file, it seemed to be test data from the phishers, as these uploads were performed on 10-10-2017 as well, right around the time of the PHP error.

At this point Rik van Duijn, one of my colleagues, jumped into the investigation as well. We decided to keep enumerating files on the web server and had some luck finding the live logging file. When enumerating ZIP files, it became clear that a ZIP file was present. Yay! Source code.

After opening a.php, the live log file name was discovered:

After opening the file through the browser, a complete log file of all stolen wallets was returned:

After analyzing the live log, it became clear that one of the victims’ wallets lost 42.50 ETH. 42 ETH was equal to $12,577.63 around the time of the phishing attack:

The total amount of ETH received at the attackers’ address is 52.56 ETH, which was equal to $15,875.65:

This morning, the attackers sent 3 times 16.5 ETH ($4,847.37) to 3 different ETH addresses. In other words: the attackers were able to obtain my e-mail address from the Kin Foundation mailing list in some way, performed a very well set up phishing attack and were able to obtain about $15,000 in 2 hours. I contacted the domain registrar of the Unicode domain. However, this is a “bulletproof” hosting provider, so I am not sure whether they will take it offline. In addition, we contacted the appropriate authorities to initiate a notice and takedown.